Knowledge-based authentication (KBA) involves deriving questions regarding a particular user from facts in a database, and then asking that user one or more of the derived questions to verify the authenticity of the user. For example, KBA accesses facts such as addresses, mortgage payments, and driving records from a LexisNexis® server, a credit bureau or a motor vehicle registry.
Some conventional KBA systems use pilot questions to determine the quality of the questions being provided to users. Such pilot questions appear to the users as normal KBA questions. Rather than using the pilot questions to authenticate users, however, such systems use the answers to evaluate whether the pilot questions are effective for authentication. As such, the pilot questions represent a feedback mechanism by which the KBA systems generate new KBA questions.
The conventional KBA systems that employ pilot questions rely on manual inspection of pilot question results for guidance on building new KBA questions. In a typical case, an administrator evaluates pilot question results and bases new KBA questions on the pilot questions that were answered correctly most often by those users who were successfully authenticated. Such an administrator's experience and knowledge of KBA policies play a role in determining the form of the new KBA questions.
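The evaluation step described above, as an added example that is not part of the original text: pilot answers are recorded alongside the session outcome (decided by the real KBA questions only), and questions are ranked by the conventional criterion, the correct-answer rate among successfully authenticated users. The `discrimination` figure (that rate minus the rate among failed sessions) is an addition beyond the page's stated criterion, and all records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PilotResponse:
    """One user's answer to one pilot question, with the session outcome."""
    user_id: str
    question_id: str
    answered_correctly: bool
    session_authenticated: bool  # decided by the real KBA questions, never by the pilot


# Constructed sample data (hypothetical question ids), not a real KBA deployment.
SAMPLE_RESPONSES = [
    PilotResponse("u1", "q_prior_street", True, True),
    PilotResponse("u2", "q_prior_street", True, True),
    PilotResponse("u3", "q_prior_street", False, True),
    PilotResponse("u4", "q_prior_street", True, False),
    PilotResponse("u1", "q_mortgage_lender", True, True),
    PilotResponse("u2", "q_mortgage_lender", True, True),
    PilotResponse("u3", "q_mortgage_lender", True, True),
    PilotResponse("u4", "q_mortgage_lender", True, False),
    PilotResponse("u5", "q_mortgage_lender", True, False),
    PilotResponse("u1", "q_vehicle_color", False, True),
    PilotResponse("u2", "q_vehicle_color", True, True),
    PilotResponse("u3", "q_vehicle_color", False, True),
    PilotResponse("u4", "q_vehicle_color", False, False),
]


def pilot_question_stats(responses):
    """Per question: correct rate among authenticated and among failed sessions."""
    counts = defaultdict(lambda: {"auth": [0, 0], "fail": [0, 0]})  # [total, correct]
    for r in responses:
        bucket = counts[r.question_id]["auth" if r.session_authenticated else "fail"]
        bucket[0] += 1
        bucket[1] += int(r.answered_correctly)
    stats = {}
    for qid, c in counts.items():
        auth_rate = c["auth"][1] / c["auth"][0] if c["auth"][0] else 0.0
        fail_rate = c["fail"][1] / c["fail"][0] if c["fail"][0] else 0.0
        stats[qid] = {"auth_rate": auth_rate, "fail_rate": fail_rate,
                      "discrimination": auth_rate - fail_rate,
                      "n": c["auth"][0] + c["fail"][0]}
    return stats


def rank_pilot_questions(responses, min_samples=3):
    """Conventional ranking: highest correct rate among authenticated users first.
    Questions with fewer than min_samples answers are left out as unmeasured."""
    stats = pilot_question_stats(responses)
    eligible = [(q, s) for q, s in stats.items() if s["n"] >= min_samples]
    eligible.sort(key=lambda kv: (kv[1]["auth_rate"], kv[1]["discrimination"]), reverse=True)
    return [q for q, _ in eligible]
```

On the sample data the top-ranked question is also the one every failed session answered correctly (discrimination 0.0), which is the kind of detail an administrator inspecting raw correct-answer counts would otherwise have to notice by hand.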